What are the responsibilities and job description for the System Engineer position at Btechnical Group?
Our client, a global leader in the Sports and Entertainment space, has an immediate long-term (open-ended with the possibility of conversion at some point) contract position for an Endpoint and Identity Security Engineer to join their world-class team!
This role works 3 days in the office (Frisco) and 2 remotely, with some off-hours/weekend availability required. Only US Citizens or Green Card holders will be considered.
We are seeking an experienced Endpoint & Identity Security Engineer to serve as the Tier 3 technical authority for device posture, compliance policy, and authentication platform engineering across our enterprise environment. This is a hands-on engineering role—you will own the architecture, build, testing, and deployment of solutions across Microsoft Intune, Duo Security, and Entra ID, while our Support and HelpDesk teams handle day-to-day operations and first-line escalations.
Our environment spans Windows, macOS, iOS, and Android devices, with JAMF as the management platform for Apple devices and Intune managing Windows and Android. A strong candidate will bring genuine cross-platform depth and the ability to understand how these platforms interact—particularly the integration points between JAMF, Intune, Entra ID, and Duo. We have active workstreams in flight across all of these areas, and the right person will be ready to contribute immediately.
Equally important is the ability to operate effectively across teams. This role presents solutions to IT Directors and Management, trains and enables Support staff, and collaborates directly with our Security team and CISO. The ability to communicate technical risk and impact clearly—both up and down—is a core expectation of the role, not a secondary skill.
Key Responsibilities
Endpoint Management & Device Configuration
- Design, build, and maintain device enrollment architectures, configuration profiles, and compliance policies in Microsoft Intune across Windows, iOS, and Android platforms.
- Own and drive the strategy for managing Windows devices, including the current initiative to move from hybrid Entra-joined endpoints to a fully Entra-joined and Intune-managed architecture.
- Manage and maintain Android enterprise device infrastructure, including kiosk-mode deployments for venue and operational use cases; manage Google Play account administration; and own the active Android BYOD management deployment—an immediate priority for this role.
- Maintain a solid working knowledge of JAMF and its role in the overall endpoint architecture, including configuration management for macOS and iOS, the JAMF–Entra compliance connector, and how JAMF-managed device posture supports Conditional Access enforcement. Close coordination with the JAMF Specialist and full situational awareness of the Apple device ecosystem are firm expectations of this role.
- Collaborate with the JAMF Specialist on cross-platform compliance, authentication integration, and Apple Platform SSO as it relates to Entra ID and Conditional Access.
- Ensure Microsoft Defender for Endpoint posture signals are properly integrated into device compliance policies and Conditional Access logic across Windows and macOS.
Identity Security & Authentication Engineering
- Engineer and maintain Duo Security deployments across the organization, including MFA, trusted devices, Duo Desktop device health checks, and ongoing evaluation of the Duo Passwordless capability in the context of our Entra ID environment.
- Lead the implementation and operationalization of Duo as an External Authentication Method (EAM) for Entra ID, managing the technical integration, policy design, and rollout in partnership with the Security team.
- Build, test, and deploy Conditional Access policies in Entra ID; own associated group structures scoped to policy requirements; and maintain policy integrity as the environment evolves.
- Evaluate emerging Duo platform capabilities and assess fit within our authentication architecture, ensuring Duo and Entra remain properly aligned without duplicating or conflicting with existing SSO infrastructure.
Security Posture & Compliance Policy
- Design and implement device compliance policies guided by NIST and CIS benchmarks, applying controls that strengthen security posture without disrupting critical business operations.
- Partner with the internal Security team and external security consulting firm to evaluate recommended security controls and translate accepted requirements into deployable configuration profiles across managed platforms and approved browsers.
- Participate in efforts to remediate device posture when remediation paths involve configuration profile changes, compliance policy updates, or Conditional Access modifications.
- Maintain consistent compliance policy coverage across all managed device types and operating systems, with clear traceability to Conditional Access enforcement logic.
Escalation & Availability
- Serve as the Tier 3 escalation point for endpoint management and identity security issues that exceed the support team's resolution capability; provide timely, thorough resolution with appropriate documentation of findings and outcomes.
- Participate in the on-call rotation as assigned. Because this role covers MFA, device compliance, and endpoint access in a busy venue and operations environment, you are expected to be more available and responsive even outside of your scheduled on-call periods.
Qualifications
Required Experience & Skills
- 5 years of hands-on experience in endpoint management, device security, and identity platforms in enterprise environments, with demonstrated progression in scope, complexity, and ownership.
- Deep expertise with Microsoft Intune across the full configuration lifecycle: enrollment, configuration profiles, compliance policies, app deployment architecture, and Conditional Access integration.
- Hands-on Duo Security experience in an enterprise deployment, including MFA policy management, device trust, and platform integrations with identity providers.
- Meaningful experience with JAMF in an enterprise environment—sufficient to understand platform architecture, configuration management for macOS and iOS, and integration with Entra ID for compliance and Conditional Access.
- Demonstrated experience managing mixed-platform environments: Windows, macOS, iOS, and Android.
- Solid working knowledge of Microsoft Entra ID, including Conditional Access policy authoring, group management, and identity integration patterns.
- Familiarity with NIST and CIS security frameworks as applied to endpoint compliance and device posture.
- ITIL v4 Foundation: a structured approach to change management and service operations is required.
- Strong written and verbal communication skills; demonstrated ability to present technical solutions and risk assessments to non-technical IT leadership.
Preferred Certifications
- Microsoft MD-102: Endpoint Administrator
- Microsoft SC-300: Identity and Access Administrator
- Duo Security certification
- JAMF Certified Associate or higher
Nice to Have
The following skills are not required but represent areas where additional experience will accelerate contribution in our environment:
- General SysAdmin background: on-premises Active Directory, Group Policy (GPO), DNS, SSL Certificate lifecycle management, VMware
- Cisco Identity Intelligence
- PDQ Connect
- Qualys or Automox
- Microsoft 365 platform breadth (Exchange Online, Teams, SharePoint, Purview, etc.)
- SCEP and Network Device Enrollment Service (NDES)
- Entra SSO and App Registrations
- Team Dynamix ITSM
Work Environment
- Hybrid schedule: 3 days on-site in Frisco, TX / 2 days flex remote. On-site presence supports proximity to Support staff, the HelpDesk, and IT Management and is a firm requirement of the role.
- Member of a 5-person Enterprise Technology team with shared ownership and peer backup coverage expectations. This role is expected to provide informal mentorship to Support staff and serve as a knowledge resource across the endpoint and identity domain.
- Dynamic sports and entertainment environment with operational demands tied to live events. Availability and responsiveness outside of standard business hours are part of the culture and expected of this role.
Salary: $55 - $75